Amateur-style robbery, or how Yandex stores passwords

Many (Habr) people risk losing everything by using Yandex services to collect mail from, or filter spam out of, their other mailboxes. The question became especially pressing recently, when Y.Online gained an option for monitoring several mail accounts. If attackers steal or guess the keys to your Yandex account, they immediately hold the logins and passwords of all the secondary accounts as well. How the Yandex folks could have made such a mistake, I can't imagine. By the way, the situation has persisted for several years. Below is an illustration of the vulnerability.

Topic prepared by jeditobe, published by me, as the author does not have enough karma. This is his first post.

1. Go to Yandex.Mail, then click the "settings" and "type of mail" links.

2. Select the "classical" interface.

3. Click the "settings" and "mail collection" links.

4. You land on a page listing all the mailboxes the collector monitors.

5. Select any entry of interest by clicking the corresponding link; a pop-up window with its settings opens.

6. Look at the source code of the pop-up window's contents: among the few fields there, we find some very interesting ones.

Yandex serves these pages over plain http://, so the same logins and passwords can also be intercepted in network traffic.
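The two defects described above, a stored third-party password echoed back into page markup and that page served over http://, are exactly what a self-audit of a settings page should catch. The checker below is an added example, not code from the original post or from Yandex: it parses a fetched page, flags pre-filled password inputs and password-like values in inline scripts, and notes when the page URL is plain http://. The markup, field names and URLs are constructed for illustration; the "fixed" form shows the usual remedy, leaving the password field empty and only updating the stored secret when the user types a new one.

```python
from html.parser import HTMLParser
import re

class PrefilledPasswordFinder(HTMLParser):
    """Collects pre-filled <input type="password"> fields and inline <script> text."""
    def __init__(self):
        super().__init__()
        self.inputs = []        # (field name, value) for password inputs that carry a value
        self.script_text = []   # raw text of every inline <script> block
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password" and a.get("value"):
            self.inputs.append((a.get("name", "?"), a["value"]))
        self._in_script = self._in_script or tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)

# Key/value pairs such as  password: "..."  or  pwd = '...'  inside inline scripts.
SCRIPT_SECRET = re.compile(r"""["']?(pass(?:word|wd)?|pwd)["']?\s*[:=]\s*["']([^"']+)["']""", re.I)

def audit_settings_page(html, url):
    """Return a list of findings for one fetched settings page; an empty list means clean."""
    parser = PrefilledPasswordFinder()
    parser.feed(html)
    findings = [f"password input '{n}' is pre-filled with the stored secret" for n, _ in parser.inputs]
    for m in SCRIPT_SECRET.finditer("".join(parser.script_text)):
        findings.append(f"inline script exposes a '{m.group(1)}' value")
    if findings and url.lower().startswith("http://"):
        findings.append("page is served over http://, so the secret also crosses the network in clear")
    return findings

# Constructed sample markup (not Yandex's real pages): a leaky popup and the fixed form,
# which leaves the password field empty and only updates the stored secret if the user types one.
LEAKY_HTML = """<form action="/collector/save">
  <input type="text" name="login" value="someone@example.com">
  <input type="password" name="password" value="hunter2">
</form>
<script>var collector = {server: "pop.example.com", password: "hunter2"};</script>"""
FIXED_HTML = """<form action="/collector/save">
  <input type="text" name="login" value="someone@example.com">
  <input type="password" name="password" value="" placeholder="leave blank to keep current">
</form>"""
```

Run `audit_settings_page(LEAKY_HTML, "http://mail.example.test/collector")` to see all three findings; the fixed form over either scheme returns an empty list.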

UPD: Moved to the Information Security blog.
UPD2: Yandex employee's response.
